Correct, as you would then be contending with the path length portion of the 10 determistic citeria in the bgp protocol.
----- Original Message -----
From: "Scott Weeks" [surfer at mauigateway.com]
Sent: 08/29/2008 04:06 PM MST
To: <nanog at merit.edu>
Subject: Re: BGP Attack - Best Defense ?
----------- scg at gibbard.org wrote: --------------
From: Steve Gibbard <scg at gibbard.org>
On Fri, 29 Aug 2008, Scott Weeks wrote:
> I am signed up for the Prefix Hijack Alert System
> (phas.netsec.colostate.edu) and would be alerted in about 6 hours (or
> less?) about a prefix announcement change.
>> I then would deaggregate (as little as possible) to be able to announce
> the same more specific as the attacker.
Announcing the same prefix length as the attacker would get you back some
portion of your traffic, rather than all of it. You'd really want to
announce something more specific than what the attacker is announcing.
----------------------------------------------------
Let's say the attacker is announcing one or more /24s of mine and announcing a more specific is not possible. I figure it out somehow and begin announcing the same. The attacker doesn't stop his attack. What happens? The part of the internet closest in topology to me sends their traffic to me and the part of the internet closest to the attacker sends traffic to him?
------------------------------------------------------
Of course, then you'd need to get your upstreams to accept the more
specific, which might mean modifying filters. How quickly can you get
your upstreams to do that?
------------------------------------------------------
I have them do orlonger when I set up the BGP sessions, so I'm good to go. I have a /15 and two /16s fully aggregated, so I can announce anything smaller than that for TE. The worst I have done so far is use /17s to groom ingress traffic, but that was temporary. I now have enough BW to run BGP without turning any knobs
------------------------------------------------------
Also, please don't be like Covad. If you deaggregate to deal with a
highjacking, make your deaggregation temporary, and clean it up when it's
not needed anymore.
------------------------------------------------------
I won't. Learning from many here about netizenship I make sure I am a good boy. ;-)
scott
------------------------------------------------------------
> I would then try to contact the ASs still using the attack path to get
> it stopped. (Yell help on NANOG? ;-)
If you try to contact networks that are innocently hearing the
announcement, rather than those involved in propagating it, you'll have a
lot of networks to contact. A better move would be to contact those
originating the announcement (unless you think they're involved in
something malicious), and then their upstreams, and if that doesn't work,
their upstreams' upstreams.
Calling an upstream provider's NOC to ask them to modify a customer's
filters generally gets met with lots of skepticism. You'll almost
certainly be told that you have to be the customer whose filter it is to
ask to have it modified. You'll need to be quite firm, and will probably
need to ask to speak to somebody higher up than the front-line tech who
answers the phone. The very few times I've had to do this, I've also
found it quite useful to deemphasize their receiving of the prefix from a
customer, and emphasize that they were announcing it to the rest of the
world. "You are announcing our prefix, and you are not authorized to do
so," is a useful line.
-Steve
--------------------------------------------------------------
This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please
notify the sender immediately and destroy this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is strictly
forbidden.